🤖 AI Summary
RTL vulnerability detection in SoC security verification suffers from heavy reliance on manual effort, low efficiency, and poor generalizability.

Method: This paper introduces the first open-source, hardware-security-focused large language model (LLM) fine-tuned for RTL vulnerability analysis. We construct the first open-source hardware vulnerability database and integrate Verilog/VHDL semantic understanding with domain-specific security knowledge to enable end-to-end reasoning from natural language descriptions to RTL vulnerability patterns.

Contributions/Results: (1) The first LLM fine-tuning framework tailored for SoC security verification; (2) Automated, cross-IP-core reusable vulnerability identification; (3) High recall and interpretable alerts on mainstream SoC benchmarks. Experiments demonstrate significant improvements in detection efficiency and adaptability, overcoming key limitations of traditional manual-driven approaches.
📝 Abstract
The current landscape of system-on-chip (SoC) security verification faces challenges due to manual, labor-intensive, and inflexible methodologies. These issues limit the scalability and effectiveness of security protocols, making bug detection at the Register-Transfer Level (RTL) difficult. This paper proposes a new framework named BugWhisperer that utilizes a specialized, fine-tuned Large Language Model (LLM) to address these challenges. By enhancing the LLM's hardware security knowledge and leveraging its capabilities for text inference and knowledge transfer, this approach automates and improves the adaptability and reusability of the verification process. We introduce an open-source, fine-tuned LLM specifically designed for detecting security vulnerabilities in SoC designs. Our findings demonstrate that this tailored LLM effectively enhances the efficiency and flexibility of the security verification process. Additionally, we introduce a comprehensive hardware vulnerability database that supports this work and will further assist the research community in enhancing the security verification process.